Non-functional Requirement - Configuration Integrity

Category: Security

Context: Configuration Integrity

Goals: When the configuration of a system is modified outside of normal processes, the system must be able to detect the unauthorized modification, and must be recoverable to a pre-modified state using a pre-determined configuration. No more than an acceptable amount of data loss should result from the unplanned configuration change. The recovered system must be capable of meeting all pre-modification functional and non-functional requirements. Sufficient logging and auditing must be in place to determine the source of the modification. The response to unauthorized modification must follow a pre-determined process or plan.

Rationale: If the confidentiality and integrity of the data managed by the system are sufficiently critical, the system must have the ability to prevent unauthorized modifications to system configuration and data, must be able to determine the source of system modifications, and must be capable of being recovered from unauthorized configuration changes with functionality identical to the pre-modified state.

Requirement: Unauthorized modification of the configuration of the system and system managed data shall be recoverable to a point in time of Metric. System changes will be logged to Metric. The response to modification of system configuration or system managed data shall meet Metric.

Metric:

Level A:

A1. A non-refutable log of all access and modifications to IT system configuration will exist that contains action performed, individual, IP address, date, and time for a period of one year.
A2. Administrative activities that could result in the ability for a single person to commit or conceal fraud must be distributed to more than one individual.
A3. The Incident Response process, as defined in Operating Instruction 5.23.1.4, is tested annually.

Level B:

B1. A non-refutable log of all access and modifications to the IT system configuration by accounts with privileges sufficient to modify IT system configuration will exist and contain action performed, individual, IP address, date and time for a period of one year.
B2. No more than one business day of system modifications will be lost.
B3. Access and modification of IT system configuration will be conducted using privileges limited to the minimum required to complete the activity.

Level C:

This Level Intentionally Left Blank

Level D:

D1. The recovered IT system will meet all pre-modification functional and non-functional requirements.
D2. The IT system will meet Operating Instruction 5.23.1.8, Anti-malware Installation and Management.
D3. A process exists that meets Operating Instruction 5.23.1.4, Information Security Incident Response.
D4. IT systems performing storage, business logic, or unencrypted transmission of data classified as Highly Restricted or Restricted must be administered by personnel using least privilege.

Scale:

Log Content: Log contains action performed, individual, IP address, date, and time
Log Retention: Duration, Days

Stakeholders: System Managers, Operations, System Users

Implications: If this requirement is not met, the organization will incur significant risk of loss of business functionality and data in the event of unplanned configuration modifications.

Applicability: See Enterprise Requirements Framework

Tags: Security, Configuration

Status: Approved, Requirement

Author: <Author>

Revision: <Revision>


Note:

Incorporates the traditional concepts of Configuration Management, Change Management (portions of), security auditing, Business Activity Logging, Intrusion Detection/Prevention and Malware Detection/Prevention, and security incident handling.

The intent of this requirement is to ensure that the system is designed so that:
  • The system can support/enable least privilege and role based system configuration.
  • Configuration changes are detectable. This implies technologies such as routine, scheduled, continuous, or near-continuous configuration auditing.
  • Auditing of changes in configuration creates an immutable audit trail, and the audit trail is properly secured.
  • The configuration of a system can be recovered back to the state that the system was in prior to the modification. 
For more information, see NFR Summary
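As an added illustration of the three design intents listed above (detectable configuration changes, a tamper-evident audit trail carrying the A1 fields, and recovery to the pre-modification state), the following Python sketch is not part of this NFR or the organization's tooling. The file paths, contents, user names and IP addresses are constructed; the in-memory baseline and hash-chained log are an assumed design, and a real deployment would persist the baseline and ship the log to a write-once store so that the trail is "properly secured" as the note requires.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ConfigIntegrityMonitor:
    """Baselines approved configuration, detects drift and records a
    hash-chained audit trail. In-memory for the example (assumed design);
    a real deployment would persist the baseline and ship the log off-host."""

    GENESIS = "0" * 64

    def __init__(self):
        self.baseline = {}     # path -> approved content (bytes)
        self.audit_log = []    # list of dict entries, each linked to the previous
        self._prev_hash = self.GENESIS

    def _record(self, action, individual, ip_address, path, detail=""):
        # Fields required by metric A1: action, individual, IP address, date and time.
        entry = {
            "action": action,
            "individual": individual,
            "ip_address": ip_address,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "path": path,
            "detail": detail,
            "prev_hash": self._prev_hash,
        }
        # Chain: each entry's hash covers its content plus the previous hash,
        # so editing, removing or reordering an earlier entry breaks verification.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self._prev_hash = entry["entry_hash"]
        self.audit_log.append(entry)
        return entry

    def approve(self, path, content, individual, ip_address):
        """Record an approved (in-process) change and update the baseline."""
        self.baseline[path] = content
        self._record("approve", individual, ip_address, path, sha256_hex(content))

    def audit(self, current_files, individual="scheduled-audit", ip_address="127.0.0.1"):
        """Compare live files against the baseline; return the paths that drifted
        (modified, missing or unexpected). Every finding is written to the log."""
        drifted = []
        for path, approved in self.baseline.items():
            if path not in current_files:
                drifted.append(path)
                self._record("detect-missing", individual, ip_address, path)
            elif sha256_hex(current_files[path]) != sha256_hex(approved):
                drifted.append(path)
                self._record("detect-modified", individual, ip_address, path,
                             sha256_hex(current_files[path]))
        for path in current_files:
            if path not in self.baseline:
                drifted.append(path)
                self._record("detect-unexpected", individual, ip_address, path)
        return sorted(drifted)

    def recover(self, path, individual, ip_address):
        """Return the baselined content for a drifted path (the caller writes it
        back); the recovery itself is logged so the response is auditable."""
        content = self.baseline[path]
        self._record("recover", individual, ip_address, path, sha256_hex(content))
        return content

    def verify_audit_log(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for entry in self.audit_log:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed walkthrough: approve a config, simulate an out-of-process
    edit, detect it, recover, then show that tampering with the log is caught."""
    mon = ConfigIntegrityMonitor()
    mon.approve("/etc/app/app.conf", b"listen=443\ntls=required\n", "alice", "10.0.0.5")
    live = {"/etc/app/app.conf": b"listen=443\ntls=optional\n"}   # unauthorized edit
    drifted = mon.audit(live)
    restored = mon.recover("/etc/app/app.conf", "oncall", "10.0.0.9")
    chain_ok_before = mon.verify_audit_log()
    mon.audit_log[1]["individual"] = "nobody"   # attempt to rewrite history
    chain_ok_after = mon.verify_audit_log()
    return drifted, restored, chain_ok_before, chain_ok_after


if __name__ == "__main__":
    print(demo())
```

The audit step is what a scheduled or continuous configuration audit would run; the baseline is only updated through `approve`, so any change that bypasses that path surfaces as drift, and the chained hashes make after-the-fact edits to the trail detectable even though they cannot by themselves prevent deletion of the whole log.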